[openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

Alexander Makarov amakarov at mirantis.com
Thu Feb 19 18:15:45 UTC 2015


@Renat, I like the idea. For now we have a spec:
https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-trust-ext.rst
It's considered to be enough, but as for me it lacks a TL;DR section :)

On Thu, Feb 19, 2015 at 8:15 PM, Renat Akhmerov <rakhmerov at mirantis.com>
wrote:

>
> On 19 Feb 2015, at 18:32, Alexander Makarov <amakarov at mirantis.com> wrote:
>
> @Renat, They are conceptually different:
> - regular tokens are created for the owner of addressed resource
> - trust scoped tokens are for trustees and have some security restrictions.
> The case is about disallowing a trustee to acquire a regular token allowing
> him anything the trustor is allowed. It'd be an exploit.
>
>
> Alexander,
>
> Thanks for the explanations. I kind of get the general idea, yes. What is the best
> source where we could go and read in detail about that? The only page I
> was able to find is https://wiki.openstack.org/wiki/Keystone/Trusts but
> it would be nice if something more tutorial-like existed.
>
> Renat Akhmerov
> @ Mirantis Inc.
>
>


-- 
Kind Regards,
Alexander Makarov,
Senior Software Developer,

Mirantis, Inc.
35b/3, Vorontsovskaya St., 109147, Moscow, Russia

Tel.: +7 (495) 640-49-04
Tel.: +7 (926) 204-50-60

Skype: MAKAPOB.AJIEKCAHDP